package org.directwebremoting.impl;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.validator.Validator;
import org.directwebremoting.WebContextFactory;
import org.directwebremoting.extend.AccessControl;
import org.directwebremoting.extend.AccessDeniedException;
import org.directwebremoting.extend.Creator;
import org.directwebremoting.extend.LoginRequiredException;
import org.directwebremoting.util.Messages;

/* loaded from: input_file:WEB-INF/lib/dwr-2.0.2.jar:org/directwebremoting/impl/DefaultAccessControl.class */
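/**
 * Default {@link AccessControl} implementation: decides whether a remoted method may be
 * listed or invoked.
 *
 * <p>Three independent mechanisms are applied:
 * <ul>
 *   <li>per-method role restrictions, keyed by {@code scriptName.methodName};</li>
 *   <li>a per-script include list or exclude list of method names (never both);</li>
 *   <li>structural checks: the method must be public, must not be declared on
 *       {@link Object}, and (unless {@link #exposeInternals} is set) neither the created
 *       class nor any parameter type may live under {@link #PACKAGE_DWR_DENY}.</li>
 * </ul>
 *
 * <p>Security note for reviewers: a script with no include/exclude rule has no
 * {@link Policy}, and a method with no role restriction is never checked for
 * authentication. The default is therefore allow, so anything that must not be reachable
 * has to be restricted explicitly.
 *
 * <p>The two maps are plain {@link HashMap}s and nothing in this class synchronizes
 * access to them. Presumably they are filled during configuration, before requests are
 * served; confirm against the callers.
 */
public class DefaultAccessControl implements AccessControl {
    /** When true, the two checks that keep DWR's own classes from being remoted are skipped. */
    protected boolean exposeInternals = false;

    /** Script name -> {@link Policy} holding that script's include or exclude list. */
    protected Map policyMap = new HashMap();

    /** {@code scriptName.methodName} -> {@link Set} of role names allowed to call it. */
    protected Map roleRestrictMap = new HashMap();

    /** Package prefix identifying DWR's own classes. */
    protected static final String PACKAGE_DWR_DENY = "org.directwebremoting.";

    // Cache slot for the compiler-generated class-literal helper below. It is no longer
    // read by this class and is retained only so the member set is unchanged.
    static Class class$java$lang$Object;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Include/exclude state for one script name.
     *
     * <p>{@code defaultAllow == true} means {@code rules} is an exclude list (everything
     * is allowed except the listed names). {@code defaultAllow == false} means
     * {@code rules} is an include list (only the listed names are allowed).
     */
    public static class Policy {
        boolean defaultAllow = true;
        List rules = new ArrayList();

        Policy() {
        }
    }

    /**
     * Checks that the method may be invoked: role restrictions first, then every check
     * made by {@link #assertIsDisplayable}.
     *
     * @param creator creator of the remoted class
     * @param str script name the class is exported under
     * @param method method about to be invoked
     * @throws SecurityException if any check fails
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertExecutionIsPossible(Creator creator, String str, Method method) throws SecurityException {
        assertIsRestrictedByRole(str, method);
        assertIsDisplayable(creator, str, method);
    }

    /**
     * Checks that the method may be listed. Role restrictions are not consulted here.
     *
     * @param creator creator of the remoted class
     * @param str script name the class is exported under
     * @param method method being considered
     * @throws SecurityException if the method is non-public, blocked by the script's
     *     include/exclude rules, declared on {@link Object}, or (when
     *     {@link #exposeInternals} is false) touches DWR's own classes
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void assertIsDisplayable(Creator creator, String str, Method method) throws SecurityException {
        assertIsMethodPublic(method);
        assertIsExecutable(str, method.getName());
        assertIsNotOnBaseObject(method);
        if (!this.exposeInternals) {
            assertIsClassDwrInternal(creator);
            assertAreParametersDwrInternal(method);
        }
    }

    /**
     * Adds a role to the set of roles allowed to call one method.
     *
     * @param str script name
     * @param str2 method name
     * @param str3 role name; {@code "*"} is treated by {@link #assertAllowedByRoles} as
     *     "any authenticated user"
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addRoleRestriction(String str, String str2, String str3) {
        String key = roleKey(str, str2);
        Set roles = (Set) this.roleRestrictMap.get(key);
        if (roles == null) {
            roles = new HashSet();
            this.roleRestrictMap.put(key, roles);
        }
        roles.add(str3);
    }

    /**
     * Adds a method name to the script's include list, switching the script to
     * deny-by-default.
     *
     * @param str script name
     * @param str2 method name to allow
     * @throws IllegalArgumentException if the script already has exclude rules
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addIncludeRule(String str, String str2) {
        Policy policy = getPolicy(str);
        if (policy.defaultAllow) {
            // Still in exclude mode: switching is only legal while no rule has been recorded.
            if (!policy.rules.isEmpty()) {
                throw new IllegalArgumentException(Messages.getString("DefaultAccessControl.MixedIncludesAndExcludes", str));
            }
            policy.defaultAllow = false;
        }
        policy.rules.add(str2);
    }

    /**
     * Adds a method name to the script's exclude list; all other methods stay allowed.
     *
     * @param str script name
     * @param str2 method name to deny
     * @throws IllegalArgumentException if the script already has include rules
     */
    @Override // org.directwebremoting.extend.AccessControl
    public void addExcludeRule(String str, String str2) {
        Policy policy = getPolicy(str);
        if (!policy.defaultAllow) {
            if (!policy.rules.isEmpty()) {
                throw new IllegalArgumentException(Messages.getString("DefaultAccessControl.MixedIncludesAndExcludes", str));
            }
            policy.defaultAllow = true;
        }
        policy.rules.add(str2);
    }

    /**
     * Enforces the role restrictions registered for the method, if any.
     *
     * <p>When no restriction is registered the method returns without looking at the
     * request, so unrestricted methods are callable without authentication.
     *
     * @param str script name
     * @param method method about to be invoked
     */
    protected void assertIsRestrictedByRole(String str, Method method) {
        Set roles = getRoleRestrictions(str, method.getName());
        if (roles == null || roles.isEmpty()) {
            return;
        }
        HttpServletRequest request = WebContextFactory.get().getHttpServletRequest();
        assertAuthenticationIsValid(request);
        assertAllowedByRoles(request, roles);
    }

    /**
     * Looks up the roles registered for a method.
     *
     * @param str script name
     * @param str2 method name
     * @return the registered role set, or {@code null} when none was registered
     */
    protected Set getRoleRestrictions(String str, String str2) {
        return (Set) this.roleRestrictMap.get(roleKey(str, str2));
    }

    /**
     * Requires a valid requested session id and an authenticated remote user.
     *
     * @param httpServletRequest current request
     * @throws SecurityException a {@code LoginRequiredException} (presumably a
     *     {@code SecurityException} subtype, given this signature) when either check fails
     */
    protected void assertAuthenticationIsValid(HttpServletRequest httpServletRequest) throws SecurityException {
        // getSession() creates a session when the request has none. The validity check
        // below is about the session id the client sent, not the one just created.
        httpServletRequest.getSession();
        if (!httpServletRequest.isRequestedSessionIdValid()) {
            throw new LoginRequiredException(Messages.getString("DefaultAccessControl.DeniedByInvalidSession"));
        }
        if (httpServletRequest.getRemoteUser() == null) {
            throw new LoginRequiredException(Messages.getString("DefaultAccessControl.DeniedByAuthenticationRequired"));
        }
    }

    /**
     * Requires the caller to hold at least one of the given roles.
     *
     * @param httpServletRequest current request
     * @param set role names; the entry {@code "*"} matches every caller that reaches
     *     this check
     * @throws SecurityException an {@code AccessDeniedException} when no role matches
     */
    protected void assertAllowedByRoles(HttpServletRequest httpServletRequest, Set set) throws SecurityException {
        for (Object entry : set) {
            String role = (String) entry;
            if ("*".equals(role) || httpServletRequest.isUserInRole(role)) {
                return;
            }
        }
        throw new AccessDeniedException(Messages.getString("DefaultAccessControl.DeniedByJ2EERoles", set.toString()));
    }

    /**
     * Rejects non-public methods.
     *
     * @param method method being checked
     * @throws SecurityException if the method is not public
     */
    protected void assertIsMethodPublic(Method method) {
        if (!Modifier.isPublic(method.getModifiers())) {
            throw new SecurityException(Messages.getString("DefaultAccessControl.DeniedNonPublic"));
        }
    }

    /**
     * Rejects methods declared on {@link Object} itself.
     *
     * <p>Only the declaring class is compared, so an override of an {@code Object}
     * method in the remoted class passes this check.
     *
     * @param method method being checked
     * @throws SecurityException if the method's declaring class is {@code Object}
     */
    protected void assertIsNotOnBaseObject(Method method) {
        // The decompiled body resolved this class through class$(Validator.BEAN_PARAM):
        // the decompiler had substituted an unrelated commons-validator constant for the
        // "java.lang.Object" literal (see the cache field's name). A class literal keeps
        // this security check independent of that library.
        if (method.getDeclaringClass() == Object.class) {
            throw new SecurityException(Messages.getString("DefaultAccessControl.DeniedObjectMethod"));
        }
    }

    /**
     * Applies the script's include or exclude list to a method name.
     *
     * <p>A script with no {@link Policy} is unrestricted. Names are compared with
     * {@code equals}, so matching is exact and case-sensitive.
     *
     * @param str script name
     * @param str2 method name
     * @throws SecurityException if the name is on an exclude list or missing from an
     *     include list
     */
    protected void assertIsExecutable(String str, String str2) throws SecurityException {
        Policy policy = (Policy) this.policyMap.get(str);
        if (policy == null) {
            return;
        }
        boolean listed = false;
        for (Object rule : policy.rules) {
            if (str2.equals(rule)) {
                listed = true;
                break;
            }
        }
        // Exclude mode denies listed names; include mode denies unlisted names.
        if (policy.defaultAllow == listed) {
            throw new SecurityException(Messages.getString("DefaultAccessControl.DeniedByAccessRules"));
        }
    }

    /**
     * Rejects methods that take a DWR-internal type as a parameter. Despite the name,
     * this asserts that no parameter type is internal.
     *
     * @param method method being checked
     * @throws SecurityException if a parameter type name starts with {@link #PACKAGE_DWR_DENY}
     */
    protected void assertAreParametersDwrInternal(Method method) {
        // getParameterTypes() returns a fresh array on every call, so fetch it once.
        Class<?>[] parameterTypes = method.getParameterTypes();
        for (Class<?> parameterType : parameterTypes) {
            if (parameterType.getName().startsWith(PACKAGE_DWR_DENY)) {
                throw new SecurityException(Messages.getString("DefaultAccessControl.DeniedParamDWR"));
            }
        }
    }

    /**
     * Rejects creators whose type is a DWR-internal class. Despite the name, this
     * asserts that the class is not internal.
     *
     * @param creator creator of the remoted class
     * @throws SecurityException if the type name starts with {@link #PACKAGE_DWR_DENY}
     */
    protected void assertIsClassDwrInternal(Creator creator) {
        if (creator.getType().getName().startsWith(PACKAGE_DWR_DENY)) {
            throw new SecurityException(Messages.getString("DefaultAccessControl.DeniedCoreDWR"));
        }
    }

    /**
     * Returns the script's {@link Policy}, creating and registering an empty
     * allow-by-default one on first use.
     *
     * @param str script name
     * @return the policy for that script, never {@code null}
     */
    protected Policy getPolicy(String str) {
        Policy policy = (Policy) this.policyMap.get(str);
        if (policy == null) {
            policy = new Policy();
            this.policyMap.put(str, policy);
        }
        return policy;
    }

    /**
     * Enables or disables remoting of DWR's own classes.
     *
     * @param z {@code true} skips the DWR-internal class and parameter checks
     */
    public void setExposeInternals(boolean z) {
        this.exposeInternals = z;
    }

    /** Builds the {@code scriptName.methodName} key used by {@link #roleRestrictMap}. */
    private static String roleKey(String scriptName, String methodName) {
        return scriptName + '.' + methodName;
    }

    /**
     * Compiler-generated helper that older compilers emitted for class literals.
     * Retained so the class's members are unchanged.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}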
